Can I skip having an information security program in place in Maine? What are the requirements?
Information Security Program Requirements in Maine
No, you cannot skip having an information security program in place in Maine if you are a licensee. According to MERS Section 2264, a licensee shall develop, implement, and maintain a comprehensive, written information security program based on the licensee’s risk assessment and containing administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information systems. The information security program must be designed to protect the security and confidentiality of nonpublic information and the security of the licensee’s information systems, protect against reasonably foreseeable threats or hazards to the security or integrity of nonpublic information and the licensee’s information systems, protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer, and define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when it is no longer needed [1.1].
Requirements for an Information Security Program
A licensee’s information security program must include the following:
- Risk assessment: A licensee shall designate one or more employees, an affiliate, or another person to act on behalf of the licensee to be responsible for the licensee’s information security program. The licensee shall identify reasonably foreseeable internal or external threats that could result in unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information, assess the likelihood and potential damage of the threats, assess the sufficiency of policies, procedures, and other safeguards in place to manage the threats, and at least annually, assess the effectiveness of the key controls, information systems, and procedures and other safeguards implemented to manage the threats [1.1].
- Risk management: Based on its risk assessment, a licensee shall design its information security program to mitigate the identified risks, consider security measures, and implement the measures considered appropriate. The licensee shall include cybersecurity risks in the licensee’s enterprise risk management process, stay informed regarding emerging threats to or vulnerabilities of information systems, and provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in its risk assessment [1.1].
- Oversight by board of directors: If a licensee has a board of directors, the board or an appropriate committee of the board shall require the licensee’s executive management or the executive management’s delegates to develop, implement, and maintain the licensee’s information security program and report to the board in writing at least annually the overall status of the licensee’s information security program and the licensee’s compliance with this chapter. If a licensee’s executive management delegates any of its responsibilities under this section, the licensee’s executive management shall oversee each delegate’s efforts with respect to the development, implementation, and maintenance of the licensee’s information security program and shall require each delegate to submit a report to the board [1.1].
- Oversight of 3rd-party service provider arrangements: A licensee shall exercise due diligence in selecting its 3rd-party service providers and require each 3rd-party service provider to implement appropriate administrative, technical, and physical safeguards to protect and secure the information systems and nonpublic information that are accessible to or held by the 3rd-party service provider [1.1].
- Program adjustments: A licensee shall monitor, evaluate, and adjust, as appropriate, its information security program consistent with any relevant changes in technology, the sensitivity of the licensee’s nonpublic information, internal or external threats to nonpublic information, and the licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems [1.1].
- Incident response plan: As part of its information security program, a licensee shall establish a written incident response plan designed to promptly respond to and recover from any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations. The incident response plan must address the internal process for responding to a cybersecurity event, the goals of the incident response plan, the definition of clear roles, responsibilities, and levels of decision-making authority, external and internal communications and information sharing, requirements for the remediation of any identified weaknesses in the licensee’s information systems and associated controls, documentation and reporting regarding cybersecurity events and related incident response activities, and the evaluation and revision as necessary of the incident response plan following a cybersecurity event [1.1].
- Annual certification to superintendent: By April 15th annually, an insurance carrier domiciled in this State shall submit to the superintendent a written statement certifying that the insurance carrier is in compliance with the requirements set forth in this section. An insurance carrier shall maintain for examination by the superintendent all records, schedules, and data supporting this certification for a period of 5 years. To the extent that an insurance carrier has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurance carrier shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. The documentation required pursuant to this subsection must be available for inspection by the superintendent [1.1].
However, if you are a licensee with fewer than 10 employees, including any independent contractors working for the licensee in the business of insurance, you are exempt from section 2264 [1.2]. If you are subject to and in compliance with the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and related privacy, security and breach notification regulations pursuant to 45 Code of Federal Regulations, Parts 160 and 164 and the federal Health Information Technology for Economic and Clinical Health Act, Public Law 111-5, you are considered to meet the requirements of this chapter, other than the requirements of section 2266, subsection 1 for notification to the superintendent, if you maintain a program for information security and breach notification that treats all nonpublic information relating to consumers in this State in the same manner as protected health information, annually submit to the superintendent a written statement certifying that you are in compliance with the requirements of this paragraph, and the superintendent has not issued a determination finding that the applicable federal regulations are materially less stringent than the requirements of this chapter [1.2].
Therefore, if you are a licensee in Maine, you must have an information security program in place that meets the requirements outlined in MERS Section 2264, unless you qualify for an exception under MERS Section 2269 [1.1][1.2].
Source(s):
- [1.1] Information security program
- [1.2] Application; exceptions
Jurisdiction: Maine